
Your Mobile Password Manager Might Be Exposing Your Credentials

A recent discovery has revealed a vulnerability in the autofill functionality of Android apps, which can expose users’ saved credentials from mobile password managers. Dubbed ‘AutoSpill,’ this vulnerability allows malicious apps to circumvent Android’s secure autofill mechanism and access sensitive information.

The Vulnerability Explained

Researchers at IIIT Hyderabad, Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, discovered the AutoSpill vulnerability while testing popular password managers such as 1Password, LastPass, Keeper, and Enpass on new and up-to-date Android devices. The researchers found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled.

When an Android app loads a login page in WebView, password managers can become ‘disoriented’ about where the user’s login information should go. Instead of autofilling the credentials only into the intended field on the login page, they also expose them to the underlying app’s native fields.

How AutoSpill Works

Gangwal explained that when a user tries to log into an app using a password manager, the following sequence of events occurs:

  1. The host app (a music app, in Gangwal’s example) opens a Google or Facebook login page inside itself via WebView.
  2. When the password manager is invoked to autofill credentials, it should ideally fill in only the intended field on the Google or Facebook login page. Because of the AutoSpill vulnerability, however, the password manager can accidentally expose the credentials to the base app as well.
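The defensive check that follows from this sequence is that a credential should be bound to the origin it was saved for: a field rendered inside a WebView belongs to that page’s domain, a native field belongs to the host package, and a Google login must never be offered to the latter. The sketch below is an added illustration of that rule in an Android AutofillService; it is not code from the researchers or from any of the password managers named here, and it assumes a layout resource named autofill_item plus a constructed in-memory vault in place of a real encrypted store.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.List;
import java.util.Map;

// Illustrative autofill service: a field is bound to the origin it belongs to (the page domain
// for fields rendered inside a WebView, the host package for native fields) and a credential is
// offered only to fields of the origin it was saved for, so a web login never lands in the host app.
public class OriginBoundAutofillService extends AutofillService {
    // Constructed sample vault keyed by origin; a real manager queries its encrypted store.
    private static final Map<String, Map<String, String>> VAULT = Map.of("web:accounts.google.com",
        Map.of(View.AUTOFILL_HINT_USERNAME, "alice@example.com", View.AUTOFILL_HINT_PASSWORD, "sample-only"));
    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();
        // Assumes the app ships a layout resource autofill_item used to render the suggestion.
        Dataset.Builder dataset = new Dataset.Builder(new RemoteViews(getPackageName(), R.layout.autofill_item));
        boolean[] filled = {false};
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            visit(structure.getWindowNodeAt(i).getRootViewNode(), hostPackage, dataset, filled);
        }
        // No field of a matching origin: offer no dataset at all rather than guess a target.
        callback.onSuccess(filled[0] ? new FillResponse.Builder().addDataset(dataset.build()).build() : null);
    }

    private void visit(ViewNode node, String hostPackage, Dataset.Builder dataset, boolean[] filled) {
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getAutofillId() != null) {
            String webDomain = node.getWebDomain();  // non-null only for fields inside a WebView
            String origin = (webDomain != null) ? "web:" + webDomain : "app:" + hostPackage;
            Map<String, String> entry = VAULT.get(origin);  // host-app fields look up "app:<package>"
            for (String hint : hints) {
                if (entry != null && entry.containsKey(hint)) {
                    dataset.setValue(node.getAutofillId(), AutofillValue.forText(entry.get(hint)));
                    filled[0] = true;
                }
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) visit(node.getChildAt(i), hostPackage, dataset, filled);
    }
    @Override public void onSaveRequest(SaveRequest request, SaveCallback callback) { callback.onSuccess(); }
}
```

Because the host app controls its own WebView, this origin split in the manager is one layer of defence alongside platform fixes, not a replacement for them.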

Risks and Ramifications

Gangwal notes that the ramifications of this vulnerability are significant, particularly in scenarios where the base app is malicious. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."

Testing and Results

The researchers tested the AutoSpill vulnerability using various popular password managers and found that:

  • Most apps were vulnerable to credential leakage, even with JavaScript injection disabled.
  • When JavaScript injection was enabled, all of the password managers were susceptible to the AutoSpill vulnerability.

Response from Affected Parties

Gangwal reports that the researchers are now exploring whether an attacker could also extract credentials from the app into the WebView. The team is also investigating whether the vulnerability can be replicated on iOS.

1Password released a statement saying that they take user security seriously and have measures in place to prevent such vulnerabilities.
LastPass confirmed that hackers stole customers’ password vaults, but they claim to have taken steps to mitigate the damage.
Keeper and Enpass have not made any statements regarding the AutoSpill vulnerability.

What Users Can Do

To protect themselves from the AutoSpill vulnerability:

  • Use a reputable password manager with robust security features.
  • Enable two-factor authentication (2FA) whenever possible.
  • Regularly update Android apps and operating systems to ensure you have the latest security patches.

Conclusion

The AutoSpill vulnerability highlights the need for robust security measures in mobile apps, particularly when it comes to autofill functionality. Users must be vigilant and take necessary precautions to protect their sensitive information from falling into the wrong hands.
